Reputation: 18012
The standard SSO routine involves actively redirecting a user from the SP to the IDP and back. While this mechanism has several great advantages, the disadvantage is that the redirect may confuse users. ("Hey I was just on azure.com and now I am live.com huh?").
I would like to support a scenario in which a username/password login form is included in the website of the SP. In this specific scenario, I am both owner of the SP and IDP and have full control over its implementation. How would one achieve such a situation? I can imagine the following approach:
<form action="https://idp.contoso.com/login" method="post">
  <input type="hidden" name="issuer" value="sp.contoso.com">
  Username: <input type="text" name="username"><br>
  Password: <input type="password" name="password"><br>
  <input type="submit" value="Submit">
</form>
Is this a viable solution? If so, is this in any way supported by standards-compliant products like WSO2 Identity Server? If not, what is a proper way to authenticate a user against an IDP while using a login form from the SP?
Upvotes: 2
Views: 3569
Reputation: 5821
I just tried out the same type of scenario using WSO2IS. It contains something called request path authenticators, which validate the user credentials that come in the login request. Yes.. As an example, if you take the SAML2 SSO scenario, the SP can send a SAML2 Auth request using POST binding to the IDP. In the same request the SP can send the end user's credentials that are retrieved from the login page of the SP application. Then you would not see the login page in the IDP; the credentials are retrieved from the auth request and validated against the IDP's user store. If successful, a SAML2 response is generated. I have written a blog about it with a sample Service Provider application and WSO2IS; I hope it may be helpful for you. Please see it from here
Upvotes: 1
Reputation: 69280
The entire idea with deferring login to an external authority is to not have to deal with the login interface. In many cases the Idp uses smart cards, one-time SMS codes or similar, so it's not only a simple username/password combo to log in.
If you control both the SP and the Idp and want to avoid the redirect to the Idp, I think it's probably better to create an API on the Idp side that lets the SP supply a username/password and get an authentication result back directly. That result could be in the form of a SAML Assertion, but also something custom.
Upvotes: 3
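The IdP-side API that the last answer suggests, sketched as an added example (not code from the question, the answers, or WSO2): the SP forwards the credentials from its own form, the IdP checks them against a salted hash store and returns a signed, audience-bound, short-lived assertion, and the SP verifies that assertion before creating a session. The user store and the shared HMAC key are constructed; a real IdP would sign with its private key and the SP would verify with the IdP's certificate.

```python
import base64, hashlib, hmac, json, os, time

# Constructed IdP user store: salted PBKDF2 hashes, never plaintext passwords.
def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_SALT = os.urandom(16)
USER_STORE = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}  # constructed

# Stand-in for the IdP's signing key; the SP only needs the verification side.
IDP_SIGNING_KEY = os.urandom(32)
SP_AUDIENCE = "sp.contoso.com"

def idp_authenticate(username, password, audience=SP_AUDIENCE):
    """IdP API: verify credentials, return a signed assertion or None."""
    entry = USER_STORE.get(username)
    if entry is None:
        _pbkdf2(password, _SALT)  # same cost for unknown users (no user enumeration by timing)
        return None
    salt, stored = entry
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return None
    now = int(time.time())
    payload = {"sub": username, "aud": audience, "iat": now, "exp": now + 300}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(IDP_SIGNING_KEY, body, "sha256").digest()
    return body + b"." + base64.urlsafe_b64encode(sig)

def sp_verify_assertion(token, now=None):
    """SP side: signature, audience and expiry must all hold before login."""
    try:
        body, sig = token.split(b".", 1)
        given = base64.urlsafe_b64decode(sig)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(IDP_SIGNING_KEY, body, "sha256").digest()
    if not hmac.compare_digest(given, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    now = int(time.time()) if now is None else now
    if payload.get("aud") != SP_AUDIENCE or payload.get("exp", 0) < now:
        return None
    return payload["sub"]
```

The SP should forward the password over TLS and discard it immediately; the only thing it keeps is the verified assertion's subject.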